Last revised: January 2026

ITSP.10.171 Compliance Statement

Protecting Specified Information in Non-Government of Canada Systems and Organizations

DataPeak’s SaaS architecture, operational controls, and security governance are designed to align with the requirements defined in ITSP.10.171, published by the Canadian Centre for Cyber Security.

ITSP.10.171 provides guidance for protecting specified information—the Canadian analogue to U.S. Controlled Unclassified Information (CUI)—when handled by non-Government of Canada (non-GC) systems and organizations.

This page outlines how DataPeak supports federal departments, agencies, and contractors by aligning with the 17 ITSP.10.171 control families and enabling customers to meet confidentiality-focused safeguarding requirements.

1. Scope & Applicability

ITSP.10.171 applies to non-GC systems that handle, process, store, or transmit specified information, including systems that protect or support those components.

DataPeak supports alignment by providing a secure, multi-tenant SaaS platform with strong technical, administrative, and architectural safeguards.

This alignment applies to:

  • DataPeak systems that may process or store specified information

  • Underlying cloud infrastructure and inherited security controls

  • Operational processes that protect confidentiality and integrity

  • Customer-configurable security and access controls

Customers remain responsible for:

  • Proper classification of specified information

  • Configuration of identity providers and access policies

  • Definition of organization-defined parameters (ODPs)

  • Appropriate use of DataPeak’s security features

2. Summary of Alignment Across ITSP.10.171 Control Families

ITSP.10.171 Control Family                    DataPeak Alignment Summary

Access Control (AC)                           SSO, MFA, RBAC, least privilege, session controls, device trust
Awareness & Training (AT)                     Annual training, secure-coding education, phishing simulations
Audit & Accountability (AU)                   Centralized logging, immutable storage, SIEM integration
Configuration Management (CM)                 Infrastructure-as-Code, hardened baselines, drift detection
Identification & Authentication (IA)          MFA, OAuth2, device authentication, passwordless options
Incident Response (IR)                        24/7 IR program, runbooks, tabletop exercises
Maintenance (MA)                              Secure remote maintenance, logged sessions, vendor controls
Media Protection (MP)                         No removable media, encrypted storage, sanitization
Personnel Security (PS)                       Background checks, role-based access, automated offboarding
Physical Protection (PE)                      Inherited cloud provider physical controls
Risk Assessment (RA)                          Annual risk assessments, vulnerability scanning
Security Assessment & Monitoring (CA)         Continuous monitoring, penetration testing, POA&M tracking
System & Communications Protection (SC)       TLS 1.2/1.3, encryption at rest, segmentation, WAF
System & Information Integrity (SI)           Malware protection, patching SLAs, runtime monitoring
Planning (PL)                                 Security plans, rules of behaviour, data flow diagrams
System & Services Acquisition (SA)            Secure SDLC, SBOMs, supplier vetting
Supply Chain Risk Management (SR)             Vendor assessments, contractual controls

3. Detailed Alignment by Control Family

3.1 Access Control (AC)

DataPeak enforces access controls consistent with ITSP.10.171 requirements for account management, access enforcement, least privilege, and session control.

  • SSO via SAML and OIDC

  • Mandatory MFA for privileged roles

  • Role-based access control (RBAC)

  • Device trust and IP allowlisting

  • Automatic session timeouts

  • Logging of privileged actions

Outcome: Only authorized users, devices, and processes can access specified information.

3.2 Awareness & Training (AT)

  • Annual security awareness training

  • Role-based training for engineering and operations

  • Phishing simulations

  • Insider-threat awareness

Outcome: Personnel understand their responsibilities for protecting specified information.

3.3 Audit & Accountability (AU)

  • Authentication, authorization, and data access logging

  • Immutable log storage

  • SIEM integration

  • Timestamp integrity and alerting

Outcome: Unauthorized activity can be detected and investigated.

3.4 Configuration Management (CM)

  • Infrastructure-as-Code (IaC)

  • Hardened OS and container baselines

  • Change control workflows

  • Configuration drift detection

Outcome: Systems remain secure, consistent, and auditable.

3.5 Identification & Authentication (IA)

  • MFA enforcement

  • Device authentication

  • OAuth2 for API access

  • Passwordless authentication options

  • Replay-resistant authentication mechanisms

Outcome: Only authenticated users and devices gain access.

3.6 Incident Response (IR)

  • 24/7 on-call security team

  • Documented incident response plan

  • Incident monitoring and reporting

  • Tabletop exercises

  • Customer notification SLAs

Outcome: Incidents are rapidly detected, contained, and communicated.

3.7 Maintenance (MA)

  • Secure remote maintenance

  • Logged and monitored sessions

  • Pre-approved maintenance windows

  • Vendor access restrictions

Outcome: Maintenance activities do not compromise confidentiality.

3.8 Media Protection (MP)

  • No use of removable media

  • Encrypted storage

  • Secure deletion and sanitization

Outcome: Specified information is protected from unauthorized disclosure.

3.9 Personnel Security (PS)

  • Background checks

  • Role-based access provisioning

  • Automated offboarding

  • Privileged access reviews

Outcome: Only trusted personnel access sensitive systems.

3.10 Physical Protection (PE)

Inherited cloud provider controls include:

  • 24/7 surveillance

  • Multi-factor physical entry

  • Redundant power and cooling

  • Physical access logging

Outcome: Physical access is tightly controlled.

3.11 Risk Assessment (RA)

  • Annual risk assessments

  • Vulnerability scanning

  • Threat modeling

  • Risk response planning

Outcome: Risks are identified, prioritized, and mitigated.

3.12 Security Assessment & Monitoring (CA)

  • Annual penetration testing

  • Continuous monitoring

  • Plan of Action and Milestones (POA&M) tracking

  • Security assessments

Outcome: Control effectiveness is maintained and improved.

3.13 System & Communications Protection (SC)

  • TLS 1.2 or later (TLS 1.3 preferred) for all data in transit

  • AES-256 encryption at rest

  • Network segmentation

  • WAF and DDoS protection

  • Key management services

Outcome: Confidentiality is preserved during transmission and storage.

3.14 System & Information Integrity (SI)

  • Flaw remediation and patching

  • Malware protection

  • Runtime monitoring

  • Security alerting

Outcome: Threats are detected and remediated quickly.

3.15 Planning (PL)

  • Security policies and procedures

  • System Security Plans (SSPs)

  • Rules of behaviour

  • Architecture and data flow documentation

Outcome: Security planning is structured and documented.

3.16 System & Services Acquisition (SA)

  • Secure SDLC practices

  • SBOM generation

  • Dependency scanning

  • Supplier vetting

Outcome: Systems are securely designed and procured.

3.17 Supply Chain Risk Management (SR)

  • Vendor risk assessments

  • Contractual security requirements

  • Continuous monitoring of critical suppliers

  • Cloud provider inheritance

Outcome: Supply chain risks are controlled and monitored.

4. Shared Responsibility Model

Responsibility for each area follows the scope statement in Section 1: DataPeak operates the platform and inherits infrastructure controls from its cloud provider; customers own data classification, identity provider configuration, and ODP definition; access policies and logging & monitoring are shared.

Area                              DataPeak Responsibility   Customer Responsibility

Platform security                 ✔                         —
Infrastructure security           ✔ (inherited)             —
Identity provider configuration   —                         ✔
Access policies                   Shared                    Shared
ODP definition                    —                         ✔
Data classification               —                         ✔
Logging & monitoring              Shared                    Shared

5. Continuous Improvement

DataPeak continuously enhances its security posture through:

  • Regular control reviews

  • Threat intelligence integration

  • Continuous monitoring

  • Alignment with ITSP.10.033, NIST SP 800-171, and NIST SP 800-53

6. Documentation & Support

Customers may request additional documentation, including:

  • Security whitepapers

  • Architecture diagrams

  • Penetration test summaries

  • Data flow documentation

  • ODP tailoring guidance

Requests can be made through your account representative.

Official Standard References

Canadian Centre for Cyber Security – ITSP.10.171
https://www.cyber.gc.ca/en/guidance/protecting-specified-information-non-government-canada-systems-and-organizations-itsp10171

Official PDF (v4):
https://www.cyber.gc.ca/sites/default/files/itsp10171-e-v4.pdf

For questions, contact info@factr.me.
